Cross-platform Attacks Discovered on Google Play

Earlier this month, SecurityWeek’s Brian Prince wrote about Kaspersky Lab’s discovery of malware that is capable of jumping from Android devices to Windows PCs, turning the computer into a live microphone. As it turns out, this isn’t the only type of cross-platform attack that worked itself into Google’s application store.

Researchers at NQ Mobile have discovered another case of Android to PC malware, one that leverages the device’s USB connection to deliver a number of payloads, including keylogging or remote access.

“In this case, the malware hijacks a legitimate Android cache-cleaning app and comes to life when syncing the device with a PC via the USB port. And the motive seems to be all about money: the malware can be used to allow cyber criminals to access the machine and the sensitive data it holds or even capture keystrokes. The worm can also copy itself to all the PC’s drives, including removable ones such as flash drives, as well as mapped network drives – and even disable your Windows anti-virus software,” the company explains.

In a brief research post on the topic, NQ explains that the malware’s data capturing functions are written to encrypt and transmit the compromised data to locations in the Ukraine, Russia, or Brazil.

On version 4.2 of Android, Google introduced a function called Verify Apps, which disallows or warns users before potentially harmful software is loaded on the device. However, recent research (which NQ did not cite fully) is said to show that only 15% of known malware is blocked with this feature.

“If you make your living developing mobile malware, and you spent hours looking for ways to quickly and efficiently multiply your demons, it would make logical sense to design them so they are able to transmit themselves between a PC and a mobile device. It was only a matter of time,” NQ researchers wrote in a blog post.

When it comes to these types of attacks, the criminals are targeting the Auto Run feature on Windows. Systems that are patched with Microsoft’s AutoRun fix from 2011 (XP and Vista) are immune to this attack. On Windows 7 and 8, Auto Run is disabled by default – so the attack will fail there as well, as long as users have not altered the settings.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.